Security

(public)

User Story

This version of browserid-verifier includes additional logging for failed verification attempts, which should help us to track down what's going on in Bug 1045502 and Bug 1059787.
Please deploy it to stage for both tokenserver-local and standalone verifier stacks. Since our loadtest includes some proportion of bad signatures, we should be able to verify whether the logs are coming through correctly.

OK, went back and verified some configs and yamls on TokenServer+Verifier.
For the standalone Verifier:
Verified a single instance deployed to the same CF stack: fxa-bv-stage
i-5175f97c
ec2-54-80-51-114
Code version: fxa-browserid-verifier-svcops 0.2.3-1 x86_64 47459269
Verified the processes, files, and logs.
Verified configs and yamls.
Quick test was successful.
So, all load testing will begin tomorrow.

Stand-alone Verifier:
Nginx access.log:
There are just a few stray 404s/405s on the Verifier, which appear to be bot-related.
The verifier_err.log has one line in it: "express: res.json(obj, status): Use res.json(status, obj) instead"
The timestamp on that is about 4 hours old.
The verifier_out.log contains some entries that look like this:
{"op":"bid.v2","name":"bid.v2","time":"2014-09-12T00:07:30.991Z","pid":2716,"v":1,"hostname":"ip-10-51-168-73","message":"verify { result: 'failure',\n reason: 'untrusted issuer, expected \\'login.mozilla.org\\', got \\'mockmyid.s3-us-west-2.amazonaws.com\\'',\n assertion: '...etc...
...etc...',\n trustedIssuers: [],\n rp: 'https://secret.mozilla.com' }"}
I believe this is ok.
TS+Verifier:
The nginx access log has the usual 200s and 401s.
And a couple of stray 404s that look like bot activity.
The token.error.log shows the following:
Exception KeyError: KeyError(27265776,)...etc...
The token.log has the expected 200s, 401s, and connection pool messages.
The verifier_err.log file has "express: res.json(obj, status): Use res.json(status, obj) instead",
same as with the standalone Verifier (and about 4 hours old).
The verifier_out.log file has failures that look like this:
{"op":"bid.v2","name":"bid.v2","time":"2014-09-12T00:04:37.705Z","pid":3335,"v":1,"hostname":"ip-10-165-100-194","message":"verify { result: 'failure',\n reason: 'expired',\n assertion: '...etc...
...etc...',\n trustedIssuers: \n [ 'api.accounts.firefox.com',\n 'api-accounts.stage.mozaws.net',\n 'api-accounts-dev.stage.mozaws.net',\n 'api-accounts.dev.lcip.org',\n 'api-accounts-latest.dev.lcip.org',\n 'nightly.dev.lcip.org',\n 'latest.dev.lcip.org' ],\n rp: 'https://token.stage.mozaws.net' }"}
I need these double-checked by Dev and Ops.